Security at Viltreon
Viltreon reads email to sort it. That is a serious responsibility, and the entire service is designed around it.
Your email is never stored
When a new message arrives, Viltreon reads it once, decides which of your labels it belongs to, applies the label, and discards the content. Message bodies, attachments, sender addresses, and recipient lists are processed in memory for the seconds a classification takes and are never written to our database or our logs. The only record we keep is which label was applied, the confidence score, and the model used — and that log is deleted after 30 days.
Viltreon cannot send, delete, or compose email
Gmail bundles reading, labeling, and sending into a single permission (gmail.modify) — the only permission that lets an inbox organizer move a message between labels. Viltreon uses it for exactly that. Our application code contains no send, compose, forward, reply, draft, or delete operations of any kind, and you can revoke access at any time from your Google Account permissions.
Encryption everywhere
- In transit: all traffic is served over TLS, with HTTP Strict Transport Security (HSTS) so browsers refuse to connect insecurely.
- At rest: your Google OAuth tokens and your AI API key are encrypted with AES-256-GCM (authenticated encryption) before they touch our database or cache. The encryption key never lives alongside the data it protects.
Hardened by default
- Every API endpoint requires authentication and is rate limited per user.
- Sessions can be revoked server-side the moment you sign out or delete your account.
- Incoming webhooks are cryptographically verified: Stripe events by HMAC signature, Gmail push notifications by Google-signed tokens.
- A strict Content Security Policy with per-request nonces guards against script injection.
- Production refuses to boot if any security-critical configuration is missing or weak.
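The Stripe HMAC check named in the list above, shown as an added example rather than Viltreon's own code: it follows Stripe's documented `Stripe-Signature` scheme (a `t=` timestamp plus `v1=` HMAC-SHA256 values computed over `timestamp.body`). The function names, the 300-second tolerance, and the sample secret and event are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumption: reject events more than 5 minutes off


def parse_signature_header(header):
    """Split 't=...,v1=...' into the timestamp and the list of v1 signatures."""
    timestamp, signatures = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":  # other schemes (e.g. v0) are ignored
            signatures.append(value)
    return timestamp, signatures


def verify_stripe_event(payload, header, secret, now=None):
    """Return True only if the raw request body was signed with `secret` recently."""
    timestamp, signatures = parse_signature_header(header)
    try:
        age = (time.time() if now is None else now) - int(timestamp)
    except (TypeError, ValueError):
        return False  # missing or non-numeric timestamp
    if abs(age) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    # Sign the raw bytes exactly as received; re-serialised JSON will not match.
    signed = timestamp.encode() + b"." + payload
    expected = hmac.new(secret, signed, hashlib.sha256).hexdigest().encode()
    # Constant-time compare; several v1 values appear while a secret is rotated.
    return any(hmac.compare_digest(expected, s.encode()) for s in signatures)


# Constructed sample data (not a real secret or event)
SECRET = b"whsec_constructed_example"
BODY = b'{"id":"evt_constructed","type":"invoice.paid"}'
T = 1700000000
GOOD_SIG = hmac.new(SECRET, b"%d." % T + BODY, hashlib.sha256).hexdigest()
GOOD_HEADER = "t=%d,v1=%s" % (T, GOOD_SIG)

if __name__ == "__main__":
    print("valid event:", verify_stripe_event(BODY, GOOD_HEADER, SECRET, now=T + 10))
    print("tampered body:", verify_stripe_event(BODY + b" ", GOOD_HEADER, SECRET, now=T + 10))
    print("replayed later:", verify_stripe_event(BODY, GOOD_HEADER, SECRET, now=T + 3600))
```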
Limited Use and verification
Viltreon’s use of Google user data complies with the Google API Services User Data Policy, including the Limited Use requirements. As an app requesting restricted Gmail scopes, Viltreon goes through Google’s verification process, which includes an independent security assessment (CASA).
Your data, your call
You can export your data or delete your account at any time from Settings. Deletion cancels your subscription, revokes Viltreon’s access to your Google account, and removes your data from our database in one step. Details are in our Privacy Policy.
Reporting a vulnerability
If you believe you have found a security issue in Viltreon, please email support@viltreon.com with the details. We read every report and will respond as quickly as we can. Please give us a reasonable window to fix the issue before disclosing it publicly.